Security Guidelines

Purpose

The purpose of this policy is to establish conditions for use of, and requirements for appropriate security for College Information Technology Resources. College Information Technology Resources is defined as all computers, computer systems, servers, other information systems (e.g., PDAs), telecommunications equipment (e.g., hubs, switches, wireless) or devices that are owned by the College or that connect to University network assets. College Information Technology Resources also include all College data, user data, programs or system software, or configuration files that are contained in or transmitted via College computers, networks or other information systems.

Scope

These guidelines are effective at all College locations and applies to all system users at any location, including those using privately owned computers or systems to access College Information Technology Resources. These guidelines represent the minimum requirements that must be in place. These guidelines are not intended to inhibit access to information services that College employees and students have made accessible for public inquiry (e.g., gopher, WWW, or anonymous ftp). However, use of such services to access or attempt to access information not intended for public display or use, or to circumvent or violate the responsibilities of system users or system administrators as defined in these guidelines, is prohibited.

Guidelines

I. General

Appropriate security shall include protection of the privacy of information, protection of information against unauthorized modification, protection of systems against denial of service, and protection of systems against unauthorized access.

College Information Technology Resources may be accessed or used only by individuals authorized by the College. Issuance of an account to a system user must be approved by an authorized College representative. Any computer, computer system, or network or device physically connected to or accessing College Information Technology Resources will be subject to and must comply with the College of Public Health Information Technology Password Guidelines, Remote Access Guidelines, Acceptable Use Guidelines, and Anti-Virus Guidelines (see policies and guidelines). Any question with regard to whether a specific use is authorized must be referred to the College Director of Information Technology.

In order to protect the security and integrity of College Information Technology Resources against unauthorized or improper use, and to protect authorized users from the effects of such abuse or negligence, the College reserves the rights, at its sole discretion, to limit, restrict, or terminate any account or use of College Information Technology Resources, and to inspect, copy, remove or otherwise alter any data, file, or system resources which may undermine authorized use. The College also reserves the right to inspect or check the configuration of College Information Technology Resources for compliance with these guidelines, and to take such other actions as in its sole discretion it deems necessary to protect College Information Technology Resources. The College further reserves the right to enforce these provisions without prior notice to the user.

The College shall not be liable for, and the user assumes the risk of, inadvertent loss of data or interference with files resulting from the College’s efforts to maintain the privacy, integrity and security of the College’s Information Technology Resources.

II. Responsibilities Related to Access to and Use of Computer and Network Resources

The College Director of Information Technology is responsible for:

  • Developing and implementing College-wide policies, guidelines, controls and procedures to protect the College’s Information Technology Resources from intentional or inadvertent modification, disclosure or destruction.
  • Monitoring user adherence to these guidelines and policies.
  • Authorizing security experiments or security scans affecting Information Technology Resources (except for those responsibilities specifically accorded to system administrators in these guidelines).
  • Coordinating response to computer and network security incidents to include, but not be limited to, notification of incidents to University Campus Security Services, University Information Technology Security Officer, Internal Audit and other University offices as appropriate, and contact with Incident Response teams external to the University.
  • Educating the user community in the ethical use of Information Technology Resources.

Administrative Officers are responsible for:

  • Developing and implementing additional security policies and guidelines specific to their administrative units in coordination with the College Director of Information Technology, and in consonance with these guidelines. These policies and guidelines will guide System Administrators within the departments and administrative units in the formulation of detailed security procedures, and are considered to be a part of this documented statement.
  • Authorizing access to computer systems, including the purpose of the account, and issuance of passwords, or designating in writing the individual(s) who will exercise this responsibility for the various systems and networks within the department or administrative unit.
  • Ensuring mechanisms are in place to obtain acknowledgment from System Users that they understand, and agree to comply with College and Department/Unit security policies. Such acknowledgment must be written unless an exception is approved in accordance with the Exceptions and Exemptions section of these guidelines.
  • Ensuring technical or procedural means are in place to facilitate determining the User ID responsible for unauthorized activity in the event of a security incident.

System Users are responsible for:

  • Understanding, agreeing to and complying with all security guidelines and policies governing College Information Technology Resources and with all federal, state and local laws, including laws applicable to the use of computer facilities, electronically encoded data and computer software.
  • Safeguarding passwords and/or other sensitive access control information related to their own accounts or network access. Such information must not be transmitted to, shared with, or divulged to others. Similarly, system users must recognize the sensitivity of all other passwords and computer or network access information in any form, and must not use, copy, transmit, share or divulge such information, nor convert the same from encrypted or enciphered form to unencrypted form or legible text. Any attempt to conduct such actions by a system user is a violation of these guidelines.
  • Taking reasonable precautions, including personal password maintenance and file protection measures, to prevent unauthorized use of their accounts, programs or data by others.
  • Ensuring accounts or computer and network access privileges are restricted to their own use only. System users must not share their accounts, nor grant accounts to others nor otherwise extend their own authorized computer and network access privileges to others.
  • Ensuring the secure configuration and operation of Internet services (e.g., WWW, FTP, e-mail, Telnet) they may establish on machines connected to College Information Technology Resources.
  • Using accounts or network access only for the purposes for which they were authorized and only for College/University-related activities. Use of accounts or network access to conduct a personal commercial enterprise, or to promote or advertise a personal commercial enterprise is prohibited. Transmitting or making accessible offensive, obscene or harassing materials, and transmitting or making accessible chain letters, etc., are prohibited. Unauthorized mass electronic mailings and news posts are prohibited. Conducting or attempting to conduct security experiments or security scans involving or using College Information Technology Resources without the specific authorization of the College Director of Information Technology is prohibited. The intentional or negligent deletion or alteration of information or data of others, intentional or negligent misuse of system resources, intentionally or negligently introducing or spreading computer viruses, and permitting misuse of system resources by others are prohibited.
  • Representing themselves truthfully in all forms of electronic communication. System users must not misrepresent themselves as others in electronic communications. Similarly, system users must not cause a system to assume the network identity or source address of another Information Technology Resource for purposes of masquerading as that resource. System users must not register Information Technology Resources that have Internet addresses within the University of Iowa Internet domain under any non-University of Iowa domain name. System users must not provide Domain Name Service for any non-University of Iowa Information Technology Resource.
  • Respecting the privacy of electronic communication. System users must not obtain nor attempt to obtain any electronic communication or information not intended for them. In particular, system users must not attempt to intercept or inspect information (e.g., packets) en route through College or University Information Technology Resources, nor use College Information Technology Resources to attempt to intercept or inspect information en route through networks elsewhere.
  • Respecting the physical hardware and network configuration of University-owned networks. System users must not extend the physical network on which their system resides without specific authorization of the College Director of Information Technology (e.g., wiring, jacks, hubs).
  • Treating non-College Information Technology Resources in accordance with these guidelines. College Information Technology Resources must not be used to attempt to breach the security or security policy of other sites (either willfully or negligently). An action or attempted action affecting non-College Information Technology Resources that would violate these guidelines if performed on College Information Technology Resources is prohibited.

Unless otherwise stated, system administrators have the same responsibilities as system users. However, because of their position, system administrators have additional responsibilities and privileges for specific systems or networks. For systems which they directly administer, system administrators are responsible for:

  • Preparing and maintaining security procedures that implement University, College and Department/Unit security policies/guidelines in their local environment and that address such details as access control, backup and disaster recovery mechanisms and continuous operation in case of power outages.
  • Taking reasonable precautions to guard against corruption, compromise or destruction of College Information Technology Resources. Reasonable precautions for system administrators exceed those authorized for system users. Specifically, system administrators may conduct security scans of systems which they directly administer. However, they may not conduct security scans for any other system or network. Similarly, system administrators may conduct dictionary comparisons or otherwise check password information related to system users on the systems for which they have administrative responsibility. They may not do so on other systems. System administrators may also intercept or inspect information en route through a network, but only information originating from or destined for systems for which they have direct administrative responsibility and only for purposes of diagnosing system or network problems. Exceptions must be authorized by the College Director of Information Technology in accordance with these guidelines.
  • Treating the files of system users as private. It is recognized that a system administrator may have incidental contact with system user files, including electronic mail, in the course of his or her duties. The contents of such files must be kept private. Deliberate access to system user files is authorized only in the event of a suspected security breach, if essential to maintain the system(s) or network(s) for which the system administrator has direct administrative responsibility, or if requested by or coordinated with the system user.
  • Taking reasonable and appropriate steps to see that all hardware and software license agreements are faithfully executed on all systems, networks, and servers.
  • Ensuring that College network addresses are assigned to those entities or organizations that are part of the College of Public Health only. System administrators must not assign network addresses to non-College entities or organizations. System administrators may in some cases provide Domain Name Service for non-College Information Technology Resources, but only with the approval of the College Director of Information Technology.
  • Limiting access to root or privileged supervisory accounts. In general, only College system administrators should have access to such accounts. System users should generally not be given unrestricted access to root or privileged supervisory accounts. As with all accounts, authorization for root or privileged supervisory accounts must be approved in accordance with these guidelines.

III. Copyright and Intellectual Property

Because electronic information is volatile and easily reproduced, respect for the work and personal expression of others is especially critical in computer environments. Violations of authorial integrity, including plagiarism, invasion of privacy, unauthorized access, and trade secret and copyright violation using University computer and network resources are prohibited. Computer software protected by copyright is not to be copied from, into, or by using College Information Technology Resources, except as permitted by law or by the license or contract with the owner of the copyright.

IV. Reporting Security Incidents or System Vulnerabilities

Individuals aware of any breach of information or network security, or compromise of computer or network security safeguards, must report such situations to the appropriate College system administrator. The College Director of Information Technology, in coordination with appropriate University offices, will determine action and resolution to incident or system vulnerability. When warranted by such preliminary review, University Campus Security Services, University Information Technology Security Officer, internal Audit, and other University departments or law enforcement authorities will be contacted as appropriate.

Sanctions for Policy Violations

Violation of any provision of these guidelines may result in:

  • restriction or termination of a system user’s access to College Information Technology Resources, including the summary suspension of such access, and/or rights pending further disciplinary and/or judicial action;
  • the initiation of legal action by the College, University and/or respective federal, state or local law enforcement officials, including but not limited to, criminal prosecution under appropriate federal, state or local laws;
  • the requirement of the violator to provide restitution for any improper use of service; and
  • disciplinary sanctions, which may include dismissal or expulsion.

Course and Work-Related Access to College Information Technology Resources

Many academic course and work-related activities require the use of computers, networks and systems of the College. In the event of an imposed restriction or termination of access to some or all College computers and systems, a user enrolled in such courses or involved in computer-related work activities may be required to use alternative facilities, if any, to satisfy the obligation of such courses or work activity. However, users are advised that if such alternative facilities are unavailable or not feasible, it may be impossible to complete requirements for course work or work responsibility. The College views misuse of computers as a serious matter, and may restrict access to its facilities even if the user is unable to complete course requirements or work responsibilities as a result.

Exceptions and Exemptions

Exception to or exemptions from any provision of these guidelines must be approved by the College Director of Information Technology. Similarly, any questions about the contents of these guidelines, or the applicability of these guidelines to a particular situation should be referred to the College Director of Information Technology.